Inline Network Address Translation Within a Mobile Gateway Router

1. A method comprising: receiving, with a mobile gateway, a request to attach a wireless device of a subscriber to a mobile wireless network; establishing, with a control plane of the mobile gateway, a packet-based network connection for the wireless device to communicate using the mobile wireless network, wherein establishing the network connection comprises assigning a private network address to the wireless device; upon establishing the network connection and prior to receiving subscriber data traffic from the wireless device, pre-allocating with the control plane of the mobile gateway a public network address and a port range for the wireless device; constructing, with the control plane of the mobile gateway, a network address translation (NAT) profile specifying the public network address and the port range and installing the NAT profile within a hardware forwarding element of the mobile gateway; upon receiving a packet of a new packet flow of the subscriber data traffic, dynamically selecting a port within the port range of the NAT profile for the subscriber with the hardware forwarding element and creating a NAT binding within the hardware forwarding element that maps the private network address for the wireless device to the public network address and the selected port; and performing network address translation on packets for the packet flow within the hardware forwarding element based on the NAT binding.

2. The method of claim 1 , wherein performing network address translation comprises: receiving outbound packets for the packet flow with the mobile gateway, each of the outbound packets having the private network address of the wireless device as a private source network address, and for each of the outbound packets, generating a translated packet with the forwarding component, wherein the translated packet includes the public network address and the selected port from the range of ports in place of the private source address and a source port of the outbound packet.

3. The method of claim 2 , wherein constructing a NAT profile comprises constructing the NAT profile to include a bit mask of a plurality of bits, each of the bits corresponding to a port within the port range and indicating whether the port is currently assigned for performing NAT for a different packet flow for the wireless device over the network connection.

4. The method of claim 3 , wherein the bit mask comprises a multi-level bit mask having a first level and a second level, each of the first level and second level having a plurality of bits, wherein each of the bits of the second level corresponds to a port within the port range and indicates whether the port is currently assigned for performing NAT for a different one of the packet flows for the wireless device, and wherein each of the bits of the first level corresponds to a different group of the bits of the second level and indicates whether at least one of the bits within the group of bits corresponds to an unused port.

5. The method of claim 1 , further comprising selecting, in the control plane the NAT profile for the wireless device from a plurality of different types of NAT profiles based on historical data for the subscriber.

6. The method of claim 1 , further comprising: storing the NAT binding within an internal cache of NAT bindings within the hardware forwarding element; upon receiving the packet the new packet flow, accessing the NAT bindings to determine whether a NAT binding exists for the new packet flow; and creating the NAT binding within the internal cache when a NAT binding does exist for the new packet flow.

7. The method of claim 1 , wherein the control plane comprise a plurality of session management cards within the mobile gateway device and the hardware forwarding element comprises one of a plurality of forwarding units coupled to the plurality of session management cards by a switch fabric, and wherein constructing a NAT profile comprises constructing the NAT profile with an anchoring one of the session management cards that anchors the subscriber session in the control plane; and wherein installing the NAT profile comprises installing the NAT profile from the anchoring one of the session management cards to an anchoring forwarding unit of the mobile gateway responsible for routing the packet flow of the subscriber data traffic.

8. The method of claim 1 , further comprising: performing, with the hardware forwarding element, route lookups to select respective next hops for the packets; and after performing network address translation on packets within the hardware forwarding element, forwarding, with the hardware forwarding element, the packets to the selected network hops.

9. A mobile gateway comprising: a plurality of interfaces configured to send and receive network packets for wireless devices of subscribers of a mobile access network; a plurality of session management cards that provide a distributed control plane to establish network connections for the wireless devices in accordance with private network addresses assigned to the wireless devices; a forwarding integrated circuit having a forwarding information base (FIB) for routing the packets between the plurality of interfaces, the forwarding integrated circuit comprising an internal network address translation (NAT) element, wherein each of the session management cards is programmed to construct for each subscriber a NAT profile upon authenticating the subscriber and prior to receiving subscriber data traffic from the subscriber, wherein the NAT profile specifies a pre-allocated public network address and port range, and wherein the session management cards are programmed to install the NAT profiles within the forwarding integrated circuit of the mobile gateway for inline NAT within the forwarding integrated circuit when routing packets for the subscribers.

10. The mobile gateway of claim 9 , wherein the forwarding integrated circuit is configured to, upon receiving a packet of a new packet flow of the subscriber data traffic, dynamically select a port within the port range of the NAT profile for the subscriber, create a NAT that maps the private network address for the wireless device to the public network address and the selected port, and perform network address translation on packets for the packet flow within the hardware forwarding element based on the NAT binding.

11. The mobile gateway of claim 10 , wherein the forwarding integrated circuit receives outbound packets for the packet flow, each of the outbound packets having the private network address of the wireless device as a private source network address, and wherein, for each of the outbound packets, the forwarding integrated circuit generates a translated packet that includes the public network address and the selected port from the range of ports in place of the private source address and a source port of the outbound packet.

12. The mobile gateway of claim 9 , wherein a first type of the NAT profiles comprises a bit mask of a plurality of bits, each of the bits corresponding to a port within the port range and indicating whether the port is currently assigned for performing NAT for a different packet flow for the wireless device over the network connection.

13. The mobile gateway of claim 12 , wherein the bit mask comprises a multi-level bit mask having a first level and a second level, each of the first level and second level having a plurality of bits, wherein each of the bits of the second level corresponds to a port within the port range and indicates whether the port is currently assigned for performing NAT for a different one of the packet flows for the wireless device, and wherein each of the bits of the first level corresponds to a different group of the bits of the second level and indicates whether at least one of the bits within the group of bits corresponds to an unused port.

14. The mobile gateway of claim 9 , wherein the session management cards are programmed to select the NAT profiles for the subscribers from a plurality of different types of NAT profiles based on historical data for the subscribers collected by the forwarding integrated circuit.

15. The mobile gateway of claim 9 , wherein the forwarding integrated circuit includes an internal cache of NAT bindings.

16. A method comprising: receiving, with a mobile gateway, a request to attach a wireless device of a subscriber to a mobile wireless network; establishing, with a control plane of the mobile gateway, a packet-based network connection for the wireless device to communicate using the mobile wireless network, wherein establishing the network connection comprises assigning a private network address to the wireless device; upon establishing the network connection and prior to receiving subscriber data traffic from the wireless device, pre-allocating with the control plane of the mobile gateway a public network address range and a port range for the wireless device; constructing, with the control plane of the mobile gateway, a network address translation (NAT) profile specifying the public network address range and the port range and installing the NAT profile within a hardware forwarding element of the mobile gateway; upon receiving a packet of a new packet flow of the subscriber data traffic, dynamically selecting a public network address within the public network address range and a port within the port range of the NAT profile for the subscriber and creating a NAT binding within the hardware forwarding element that maps the private network address for the wireless device to the selected public network address and the selected port; and performing network address translation on packets for the packet flow within the hardware forwarding element based on the NAT binding.

17. The method of claim 16 , wherein constructing a NAT profile comprises constructing the NAT profile to include a first bit mask for the public network address range and a second bit mask for the port range, wherein each of the bits of the first bit mask corresponds to a public network address within the public network address range and indicating whether the public network address is currently assigned, and wherein each of the bits of the first bit mask corresponds to a port within the port range and indicating whether the port is currently assigned for a different packet flow for the wireless device over the network connection, wherein each of the first bit mask and the second bit mask comprises a multi-level bit mask having a first level and a second level, each of the first level and second level having a plurality of bits, wherein each of the bits of the second level for the first bit masks corresponds to a public network address within the public network address range and indicates whether the public network address is currently assigned, wherein each of the bits of the second level for the second bit masks corresponds to a port within the port range and indicates whether the port is currently assigned for performing NAT for a different one of the packet flows for the wireless device, and wherein, for both the first bit mask and the second bit mask, each of the bits of the first level corresponds to a different group of the bits of the second level and indicates whether at least one of the bits within the group of bits corresponds to an unused port.